From f3e7b7854f9082f262b25ef12d7e50048e12fd79 Mon Sep 17 00:00:00 2001
From: Nikolai Prokoschenko
Date: Tue, 13 Jun 2023 14:30:24 +0200
Subject: [PATCH] Add tests
---
.test/ca-certificates-update/certs/README.md | 1 +
.test/ca-certificates-update/certs/server.crt | 20 +++++++
.test/ca-certificates-update/certs/server.key | 28 +++++++++
.test/ca-certificates-update/container.sh | 2 +
.../expected-std-out.txt | 1 +
.test/ca-certificates-update/run.sh | 57 +++++++++++++++++++
.test/config.sh | 11 ++++
7 files changed, 120 insertions(+)
create mode 100644 .test/ca-certificates-update/certs/README.md
create mode 100644 .test/ca-certificates-update/certs/server.crt
create mode 100644 .test/ca-certificates-update/certs/server.key
create mode 100644 .test/ca-certificates-update/container.sh
create mode 100644 .test/ca-certificates-update/expected-std-out.txt
create mode 100755 .test/ca-certificates-update/run.sh
create mode 100644 .test/config.sh
diff --git a/.test/ca-certificates-update/certs/README.md b/.test/ca-certificates-update/certs/README.md
new file mode 100644
index 00000000..b60d1d3a
--- /dev/null
+++ b/.test/ca-certificates-update/certs/README.md
@@ -0,0 +1 @@
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/server.key -out certs/server.crt` and is only used for testing
diff --git a/.test/ca-certificates-update/certs/server.crt b/.test/ca-certificates-update/certs/server.crt
new file mode 100644
index 00000000..73838f46
--- /dev/null
+++ b/.test/ca-certificates-update/certs/server.crt
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL +BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1 +aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ +kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s +N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI +hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy +Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw +me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR +w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB +o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU +r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d +kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT +DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb +WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ +CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU +ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg== +-----END CERTIFICATE----- diff --git a/.test/ca-certificates-update/certs/server.key b/.test/ca-certificates-update/certs/server.key new file mode 100644 index 00000000..4226cb96 --- /dev/null +++ b/.test/ca-certificates-update/certs/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs +Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac +SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT +CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss +ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9 +jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH +TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG +yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg +SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx +qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK +d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg +rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu +PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw +Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw +buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G +Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r +BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX +mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr +ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx +XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD +Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL +6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB +ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4 +6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi +YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V +1HI3wrgh88qBEGASVY8y6rDH +-----END PRIVATE KEY----- diff --git a/.test/ca-certificates-update/container.sh b/.test/ca-certificates-update/container.sh new file mode 100644 index 00000000..05a7907c --- /dev/null +++ b/.test/ca-certificates-update/container.sh @@ -0,0 +1,2 @@ +#!/bin/bash + 
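Review bot: `certs/server.key` is committed, but nothing in the visible hunks reads it: `run.sh` only bind-mounts `certs/` and asks `keytool` for the `dockerbuilder` alias, which needs `server.crt` alone. With `-days 358000` from the README, this publishes the private key of a self-signed certificate that stays valid for centuries, so any trust store that imports `server.crt` outside this test would trust a peer holding a key anyone can download. I would drop `server.key` from the commit, or, if it has to stay, add a README line such as `The private key is public; never import server.crt into a real trust store.` Removing it also keeps the key out of the directory mounted at `/certificates`; how the entrypoint treats non-certificate files there is not visible in this patch.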
diff --git a/.test/ca-certificates-update/expected-std-out.txt b/.test/ca-certificates-update/expected-std-out.txt
new file mode 100644
index 00000000..8a1be33a
--- /dev/null
+++ b/.test/ca-certificates-update/expected-std-out.txt
@@ -0,0 +1 @@
+010100
diff --git a/.test/ca-certificates-update/run.sh b/.test/ca-certificates-update/run.sh
new file mode 100755
index 00000000..bc29e6f6
--- /dev/null
+++ b/.test/ca-certificates-update/run.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -o pipefail
+
+testDir="$(readlink -f "$(dirname "$BASH_SOURCE")")"
+runDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+# Find Java major/minor/build/patch version
+#
+# https://stackoverflow.com/a/74459237/6460
+IFS='"' read -r _ java_version_string _ < <(java -version 2>&1)
+IFS='._' read -r \
+ java_version_major \
+ java_version_minor \
+ java_version_build \
+ java_version_patch \
+ <<<"$java_version_string"
+
+# CMD1 in each run is just a `date` to make sure nothing is broken with or without the entrypoint
+CMD1=date
+
+# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore
+if [ "$java_version_major" -lt 11 ]; then
+ # We are working with JDK/JRE 8
+ #
+ # `keytool` from JDK/JRE 8 does not have the `-cacerts` option and also does not have standardized location for the
+ # `cacerts` file between the JDK and JRE, so we'd want to check both possible locations.
+ CACERTS=/opt/java/openjdk/lib/security/cacerts
+ CACERTS2=/opt/java/openjdk/jre/lib/security/cacerts
+
+ CMD2=(sh -c "keytool -list -keystore $CACERTS -storepass changeit -alias dockerbuilder || keytool -list -keystore $CACERTS2 -storepass changeit -alias dockerbuilder")
+else
+ CMD2=(keytool -list -cacerts -storepass changeit -alias dockerbuilder)
+fi
+
+#
+# We need to use `docker run`, since `run-in-container.sh` overwrites the entrypoint
+#
+
+# Test run 1: No added certificates and not environment variable. We expect CMD1 to succeed and CMD2 to fail.
+docker run "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 2: Certificates are mounted, but the environment variable is not set, i.e. certificate importing should not
+# be activated. We expect CMD1 to succeed and CMD2 to fail.
+docker run --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 3: Certificates are mounted and the environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
diff --git a/.test/config.sh b/.test/config.sh
new file mode 100644
index 00000000..5ea5ee23
--- /dev/null
+++ b/.test/config.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+globalTests+=(
+ ca-certificates-update
+)
+
+globalExcludeTests+=(
+ # nanoservcer/windowsservercore: updating local store with additional certificates is not implemented
+ [:nanoserver_ca-certificates-update]=1
+ [:windowsservercore_ca-certificates-update]=1
+)
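Review bot: The version probe near the top of `run.sh` runs `java -version` on the machine executing the test, not in the image passed as `$1`, so the JDK 8 branch for `CMD2` is chosen from the host's Java; with no host `java` the variable is empty, `[ "" -lt 11 ]` errors out, and the `-cacerts` form is used even against an 8 image. Probing the image instead, e.g. `IFS='"' read -r _ java_version_string _ < <(docker run --rm "$1" java -version 2>&1)`, keeps the check tied to what is being tested. The six `docker run` calls also lack `--rm`, so each leaves a stopped container behind, and the bind mount is unquoted and writable; `--volume="$testDir/certs:/certificates:ro"` would survive paths with spaces and keep the container from modifying the checked-in fixtures, assuming the entrypoint only reads from `/certificates`. `runDir` is assigned but never used in the hunk.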